52% of DSRs in the US came from unprotected states in 2022
DataGrail’s recent Privacy Trends 2023 report tracks the effects of increasing consumer privacy awareness and regulation by measuring and analyzing the number of data subject requests (DSRs) and data subject access requests (DSARs) processed from 2021 to 2022. Interestingly, more than half of data privacy requests in the United States come from people in states lacking consumer privacy laws.
Our findings are clear: Consumers are demanding the ability to exercise their privacy rights even if they live in unprotected states. Privacy Trends 2023 shows that companies should prepare to deal with rapidly increasing privacy requests from both privacy-protected and -unprotected territories.
Let’s look at some additional discoveries.
The U.S. urgently needs a federal privacy law
DSRs are privacy requests submitted by data subjects to access or modify the data a company holds on them. In 2022, DSR submission increased by a staggering 72% from 2021. Out of all U.S. requests, 52% came from people living in states without privacy laws. This is further evidence showing the growth of consumer privacy awareness is rapidly outpacing legal privacy protections.
DataGrail predicts privacy request volume will continue to increase from 2022 to 2023, driven by consumer concerns over how companies are using their data.
In response, several states are planning to implement consumer data privacy laws, including Colorado, Connecticut, and Utah. State-level privacy regulations will continue to fuel privacy awareness among Americans, forcing businesses to create data privacy management programs.
Demanding data privacy
Americans are rightly viewing privacy as a human right, according to DataGrail’s Great Privacy Awakening report. 8 of 10 U.S. consumers surveyed believe the country should have a federal law to protect their personal data. If they had the same rights as Californians under the CCPA, 60% of Americans would ask social media companies to delete and stop sharing their data.
However, data privacy as a whole remains confusing and frustrating for average consumers. 53% of U.S. consumers feel they have little control over their online identity, and 34% report feeling overwhelmed about managing their privacy.
To meet consumer demand, comply with regulations, and optimize operations for the data privacy era, companies must implement a transparent and efficient data privacy management program.
How businesses can prepare
As states work to pass individual privacy laws and add to the national patchwork of regulations, there’s a silver lining for companies. Although state laws will have nuanced differences, they’ll also have many similarities. As a result, companies working to reach the highest standards in privacy regulation ensure preparedness for the new state — and even federal — laws that may pass in the near future.
Managing data requests may sound like a no-brainer, but manually processing DSRs can prove costly. Gartner’s Market Guide for Subject Rights Request Automation estimates the average cost of manual DSR fulfillment to be $1,524 per request. As the request submission rate grows, so will the burden on company resources.
Additionally, fines for violating privacy laws continue to increase, most recently rising as high as ~$400 million for Meta’s violation of European privacy law. Gartner’s Market Guide states that the mishandling of subject rights requests is the primary source of complaints resulting in punitive action against companies.
Fortunately, DataGrail can help automate the DSR fulfillment process and streamline privacy operations to reduce resource strain and avoid potential violations. Companies taking a proactive, automation-driven approach are seeing massive returns on their privacy investment.
Data privacy can feel like a losing battle for consumers, especially those currently unprotected by law. Companies that prioritize protecting customer data and complying with the highest standards in privacy law — even if current regulations don’t apply — are setting themselves up to exceed customer expectations, avoid regulatory penalties, build trust, and succeed in the era of data privacy.